Open Web Application Security Project (OWASP)

This talk highlights important lessons in scaling the software security touchpoints described in the book Software Security and making them work efficiently and effectively in a global software security initiative. The talk will focus on the top three touchpoints, discussing tools, technology, people and processes for each:

Code review with a static analysis tool. What is better, a centralized factory model or tools on all developers' desktops? How do you set things up to fix what you find? How do you avoid rejection of a complex toolset that requires real expertise to use? What about frameworks that are in common use but stymie current commercial tools? Are false positives a real issue?

Architectural risk analysis. How do you even begin to scale something requiring so much expertise and experience to the enterprise? What kinds of knowledge make this process more efficient? How do you gather intelligence about threats? What are the top ten security design flaws?

Penetration testing. What role should pen testing play in a software security initiative? Is it best to develop capability in house or hire outside experts? What kinds of access to design documents and source code should pen testers get? Does pen testing scale? How often should an application be tested?

Gary McGraw is the CTO of Cigital, Inc., a software security consulting firm with headquarters in the Washington, D.C. area and offices throughout the world. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications, authors a monthly security column for SearchSecurity and Information Security Magazine, and is frequently quoted in the press. Besides serving as a strategic counselor for top business and IT executives, Gary is on the Advisory Boards of Dasient (acquired by Twitter), Fortify Software (acquired by HP), Raven White, Max Financial, and Wall+Main. His dual PhD is in Cognitive Science and Computer Science from Indiana University, where he serves on the Dean's Advisory Council for the School of Informatics. Gary served on the IEEE Computer Society Board of Governors and produces the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine (syndicated by SearchSecurity).